AuditClaw IDP
Companion skill for auditclaw-grc. Collects compliance evidence from Google Workspace and Okta identity providers using read-only API calls.
8 checks | Read-only API access | Evidence stored in shared GRC database
Security Model
- Read-only access: Google Workspace uses the `admin.directory.user.readonly` scope only. Okta uses the `okta.users.read`, `okta.factors.read` and `okta.policies.read` scopes only. No write/modify permissions.
- Credentials: Uses standard env vars for each provider. No credentials are stored by this skill.
- Dependencies: Google API client + requests (all pinned in `requirements.txt`)
- Data flow: Check results are stored as evidence in `~/.openclaw/grc/compliance.sqlite` via auditclaw-grc
Prerequisites
- Google Workspace: Service account JSON with domain-wide delegation, plus an admin email for impersonation
- Okta: API token (SSWS) with read-only scopes
- `pip install -r scripts/requirements.txt`
- auditclaw-grc skill installed and initialized
Environment Variables
Google Workspace (optional; skip if not configured)
- `GOOGLE_WORKSPACE_SA_KEY`: Path to the service account JSON file
- `GOOGLE_WORKSPACE_ADMIN_EMAIL`: Super admin email to impersonate
Okta (optional; skip if not configured)
- `OKTA_ORG_URL`: Okta organization URL (e.g., https://mycompany.okta.com)
- `OKTA_API_TOKEN`: Okta API token
Commands
- "Run IDP evidence sweep": Run all checks for configured providers
- "Check Google Workspace MFA": Run the Google MFA check
- "Check Okta password policies": Run the Okta password policy check
- "Show IDP integration health": Last sync, errors, evidence count
Usage
All evidence is stored in the shared GRC database at `~/.openclaw/grc/compliance.sqlite` via the auditclaw-grc skill's `db_query.py` script.

To run a full evidence sweep (all configured providers):

```
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all
```

To run checks for a specific provider:

```
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider google
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --provider okta
```

To run specific checks:

```
python3 scripts/idp_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks google_mfa,okta_mfa
```
Check Categories (8)
| Check | Provider | What It Verifies |
|---|---|---|
| google_mfa | Google Workspace | All active users have 2SV enrolled and enforced |
| google_admins | Google Workspace | Super admin count is 2-4, all with 2SV |
| google_inactive | Google Workspace | No active users with lastLoginTime > 90 days |
| google_passwords | Google Workspace | All users have passwordStrength == "STRONG" |
| okta_mfa | Okta | All active users have at least 1 MFA factor enrolled |
| okta_passwords | Okta | Password policy: minLength >= 12, history >= 5, maxAttempts <= 5, maxAge <= 90 |
| okta_inactive | Okta | No active users with lastLogin > 90 days |
| okta_sessions | Okta | MFA required, session lifetime <= 12h, idle <= 1h |
Evidence Storage
Each check produces evidence items stored with:
- `source`: `idp`
- `type`: `automated`
- `control_id`: Mapped to relevant SOC2/ISO/NIST/HIPAA controls
- `description`: Human-readable finding summary
- `file_content`: JSON details of the check result
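The following is an added example, not code from the AuditClaw IDP skill or from auditclaw-grc. It applies the thresholds from the check table above (2SV enrollment, 90-day inactivity, the Okta password and session limits) to constructed sample records and writes each result as an evidence row with the five fields just listed. Assumptions: the Google user fields (`primaryEmail`, `suspended`, `isEnrolledIn2Sv`, `lastLoginTime`) follow the Admin SDK Directory user resource; the Okta policy dicts are flattened constructed samples (real Okta responses nest these values under `settings`); the `control_id` values are placeholders, since the real mapping lives in auditclaw-grc; and the evidence table schema is a minimal stand-in for the shared database, created in memory so the example runs offline.

```python
"""Added example: evaluate IdP check thresholds and store results as evidence rows."""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample data evaluates deterministically.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INACTIVE_DAYS = 90

# Constructed sample records (not real API output). Field names follow the
# Admin SDK Directory user resource; suspended users are not "active".
GOOGLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "lastLoginTime": "2024-05-30T10:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False,
     "isEnrolledIn2Sv": False, "lastLoginTime": "2024-01-15T10:00:00.000Z"},
    {"primaryEmail": "old@example.com", "suspended": True,
     "isEnrolledIn2Sv": False, "lastLoginTime": "2023-01-01T00:00:00.000Z"},
]
# Flattened constructed Okta policy values (assumption: real responses nest them).
OKTA_PASSWORD_POLICY = {"minLength": 8, "historyCount": 5,
                        "maxAttempts": 10, "maxAgeDays": 90}
OKTA_SESSION_POLICY = {"mfaRequired": True, "maxSessionLifetimeMinutes": 720,
                       "maxSessionIdleMinutes": 120}

# Placeholder control mapping; the real SOC2/ISO/NIST/HIPAA mapping is in auditclaw-grc.
CONTROL_MAP = {name: f"CONTROL-ID-PLACEHOLDER/{name}" for name in
               ("google_mfa", "google_inactive", "okta_passwords", "okta_sessions")}

EVIDENCE_SCHEMA = """CREATE TABLE IF NOT EXISTS evidence (
    id INTEGER PRIMARY KEY, source TEXT, type TEXT, control_id TEXT,
    description TEXT, file_content TEXT)"""


def parse_ts(value):
    # Google returns RFC 3339 with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_google_mfa(users):
    """google_mfa: every non-suspended user must be enrolled in 2SV."""
    missing = [u["primaryEmail"] for u in users
               if not u["suspended"] and not u["isEnrolledIn2Sv"]]
    return {"passed": not missing, "users_without_2sv": missing}


def check_google_inactive(users, now=NOW, limit_days=INACTIVE_DAYS):
    """google_inactive: no non-suspended user with lastLoginTime older than 90 days."""
    cutoff = timedelta(days=limit_days)
    stale = [u["primaryEmail"] for u in users
             if not u["suspended"] and now - parse_ts(u["lastLoginTime"]) > cutoff]
    return {"passed": not stale, "inactive_users": stale}


def check_okta_passwords(policy):
    """okta_passwords: minLength>=12, history>=5, maxAttempts<=5, maxAge<=90."""
    failures = []
    if policy["minLength"] < 12:
        failures.append(f"minLength {policy['minLength']} < 12")
    if policy["historyCount"] < 5:
        failures.append(f"historyCount {policy['historyCount']} < 5")
    if policy["maxAttempts"] > 5:
        failures.append(f"maxAttempts {policy['maxAttempts']} > 5")
    if policy["maxAgeDays"] > 90:
        failures.append(f"maxAgeDays {policy['maxAgeDays']} > 90")
    return {"passed": not failures, "failures": failures}


def check_okta_sessions(policy):
    """okta_sessions: MFA required, lifetime <= 12h (720 min), idle <= 1h (60 min)."""
    failures = []
    if not policy["mfaRequired"]:
        failures.append("MFA not required")
    if policy["maxSessionLifetimeMinutes"] > 720:
        failures.append(f"lifetime {policy['maxSessionLifetimeMinutes']} min > 720")
    if policy["maxSessionIdleMinutes"] > 60:
        failures.append(f"idle {policy['maxSessionIdleMinutes']} min > 60")
    return {"passed": not failures, "failures": failures}


def run_sweep(db_path=":memory:", now=NOW):
    """Run the four checks and store one evidence row per check.

    Returns (results_by_check, stored_rows) so callers can inspect both.
    """
    results = {
        "google_mfa": check_google_mfa(GOOGLE_USERS),
        "google_inactive": check_google_inactive(GOOGLE_USERS, now),
        "okta_passwords": check_okta_passwords(OKTA_PASSWORD_POLICY),
        "okta_sessions": check_okta_sessions(OKTA_SESSION_POLICY),
    }
    conn = sqlite3.connect(db_path)
    conn.execute(EVIDENCE_SCHEMA)
    for name, result in results.items():
        status = "PASS" if result["passed"] else "FAIL"
        conn.execute(
            "INSERT INTO evidence (source, type, control_id, description, file_content)"
            " VALUES (?, ?, ?, ?, ?)",
            ("idp", "automated", CONTROL_MAP[name], f"{name}: {status}",
             json.dumps(result, sort_keys=True)))
    conn.commit()
    rows = conn.execute(
        "SELECT source, type, control_id, description FROM evidence ORDER BY id").fetchall()
    conn.close()
    return results, rows


if __name__ == "__main__":
    for row in run_sweep()[1]:
        print(row)
```

Each check returns structured detail alongside the pass/fail verdict, and the full result is serialized into `file_content`, so a reviewer can see which users or which policy values caused a failure rather than only the verdict in `description`.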
Setup Guide
AuditClaw supports two identity providers. Configure one or both.
Google Workspace Setup
Step 1: Enable Admin SDK API
Go to Google Cloud Console → APIs & Services → Library → Enable "Admin SDK API"
Step 2: Create Service Account
IAM & Admin → Service Accounts → Create. Enable domain-wide delegation.
Step 3: Grant OAuth Scopes
In Google Admin → Security → API controls → Domain-wide delegation, add the service account with:
- `https://www.googleapis.com/auth/admin.directory.user.readonly`
- `https://www.googleapis.com/auth/admin.reports.audit.readonly`
Step 4: Set Environment Variables
- `GOOGLE_WORKSPACE_SA_KEY=/path/to/service-account.json`
- `GOOGLE_WORKSPACE_ADMIN_EMAIL=admin@yourdomain.com`
Okta Setup
Step 1: Create API Token
Okta Admin → Security → API → Tokens → Create Token. Name: auditclaw-scanner
Step 2: Required Permissions
The token inherits the permissions of the admin who creates it. It needs read access to users, factors and policies.
Scopes: `okta.users.read`, `okta.factors.read`, `okta.policies.read`
Step 3: Set Environment Variables
- `OKTA_ORG_URL=https://mycompany.okta.com`
- `OKTA_API_TOKEN=your-token-here`
Verify Connection
Run: `python3 {baseDir}/scripts/idp_evidence.py --test-connection`

The exact permissions are documented in `scripts/idp-permissions.json`. Show them with:

```
python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider idp
```